From 02f062b5b7d8013e8d58a9c7e244aa8637b8062c Mon Sep 17 00:00:00 2001
From: comfyanonymous
Date: Sun, 5 Nov 2023 12:29:28 -0500
Subject: [PATCH] Sanitize unknown node types on load to prevent XSS.

---
 web/scripts/app.js | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/web/scripts/app.js b/web/scripts/app.js
index 583310a2..638afd56 100644
--- a/web/scripts/app.js
+++ b/web/scripts/app.js
@@ -5,6 +5,22 @@ import { api } from "./api.js";
 import { defaultGraph } from "./defaultGraph.js";
 import { getPngMetadata, getWebpMetadata, importA1111, getLatentMetadata } from "./pnginfo.js";
+
+function sanitizeNodeName(string) {
+ let entityMap = {
+ '&': '',
+ '<': '',
+ '>': '',
+ '"': '',
+ "'": '',
+ '`': '',
+ '=': ''
+ };
+ return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) {
+ return entityMap[s];
+ });
+}
+
 /**
  * @typedef {import("types/comfy").ComfyExtension} ComfyExtension
  */
@@ -1480,6 +1496,7 @@ export class ComfyApp {
 // Find missing node types
 if (!(n.type in LiteGraph.registered_node_types)) {
+ n.type = sanitizeNodeName(n.type);
 missingNodeTypes.push(n.type);
 }
 }
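Review bot: The character class `/[&<>"'`=\/]/g` in `sanitizeNodeName` strips `/` but `entityMap` has no `'/'` entry, so for that character the replacer returns `undefined` and `String.prototype.replace` writes the literal text "undefined" into the result: `sanitizeNodeName("a/b")` yields `"aundefinedb"`. Every value in the map is the empty string, so the map adds nothing; `return String(string).replace(/[&<>"'`=\/]/g, '');` handles all eight characters in one line and removes the mismatch (and the `let` that is never reassigned). Note also that this strips characters rather than HTML-escaping them, so it changes the value rather than making it safe to render; if the missing-type name is later inserted with `innerHTML` or similar, escaping at that sink (or assigning via `textContent`) protects every path, which is worth stating in a header comment such as `// Defence-in-depth: drops HTML/JS-significant characters from an untrusted node type; not an HTML escape.`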
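Review bot: `n.type = sanitizeNodeName(n.type);` rewrites the node's type in the loaded graph data before it is reported, so a workflow that is re-saved after loading carries the altered name, and combined with the missing `'/'` entry in `sanitizeNodeName` a type such as `a/b` is persisted as `aundefinedb`. If sanitisation is only needed for the missing-types report, `missingNodeTypes.push(sanitizeNodeName(n.type));` leaves `n.type` untouched; if later code also renders `n.type` for these nodes, a comment on the assignment saying why the graph data itself is modified would save the next reader from undoing it. The `in` test on the line above also matches inherited names such as `constructor` or `toString`, so a type spelled that way is treated as registered and skips this branch entirely; `Object.hasOwn(LiteGraph.registered_node_types, n.type)` is the exact check, though that is pre-existing rather than introduced here. The enclosing loop and method start and end outside the hunk.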